From 4ccd3b6bb1fffec5aef5eb8442de83926100c050 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Mon, 2 Mar 2026 12:05:39 -0800
Subject: [PATCH] ci: pin checkout action by SHA, run on all branches

- Pin actions/checkout to full SHA (v4.2.2) to prevent mutable tag RCE
- Remove branch filter so CI runs on push to every branch, not just main
---
 .gitea/workflows/check.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
index ec317c3..eafafa8 100644
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -2,12 +2,11 @@ name: check
 on:
 push:
- branches: [main]
 pull_request:
 jobs:
 check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - run: docker build .
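Review bot: The pinned `actions/checkout` step still uses its default `persist-credentials: true`, so the job token is written into `.git/config` of the working tree that the next step hands to `docker build .` as build context. With the branch filter removed this now happens on every push, so I would add `with:` and `persist-credentials: false` under the `uses:` line, since nothing after checkout appears to need git credentials. Whether `.git` actually reaches an image layer depends on the Dockerfile and any `.dockerignore`, which are not part of this patch. Separately, a bare `push:` next to `pull_request:` will probably run the job twice for a branch that has an open pull request; worth confirming that is intended.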